Bug 2013838

Summary: Different file permission for secrets/user-serving-cert-000/tls.crt and secrets/user-serving-cert-000/tls.key
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: kube-apiserver
Assignee: Emily Moss <emoss>
Status: CLOSED NOTABUG
QA Contact: Rahul Gangwar <rgangwar>
Severity: high
Docs Contact:
Priority: medium
Version: 4.7
CC: aos-bugs, emoss, kvatteka, mfojtik, mirollin, mrobson, pawankum, rgangwar, simore, sttts, surbania, suyama, wking, xxia
Target Milestone: ---
Keywords: Reopened
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-27 19:01:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1977730, 2026089
Bug Blocks:

Comment 2 Xingxing Xia 2021-10-15 03:33:09 UTC
Will verify later

Comment 3 Xingxing Xia 2021-10-15 14:28:45 UTC
Verified in 4.9.0:
Creating a custom apiserver cert (the openssl commands below refer to https://github.com/giantswarm/grumpy/blob/instance_migration/gen_certs.sh):
# CREATE THE PRIVATE KEY FOR OUR CUSTOM CA
openssl genrsa -out certs/ca.key 2048

# GENERATE A CA CERT WITH THE PRIVATE KEY
openssl req -new -x509 -key certs/ca.key -out certs/ca.crt -config certs/ca_config.txt

# CREATE THE PRIVATE KEY FOR OUR SERVER
openssl genrsa -out certs/apiserver.key 2048

# CREATE A CSR FROM THE CONFIGURATION FILE AND OUR PRIVATE KEY
SERVER_HOST=`oc whoami --show-server | grep -o 'api[^:]*'`
openssl req -new -key certs/apiserver.key -subj "/CN=$SERVER_HOST" -out apiserver.csr -config certs/grumpy_config.txt

# CREATE THE CERT SIGNING THE CSR WITH THE CA CREATED BEFORE
openssl x509 -req -in apiserver.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/apiserver.crt

oc create secret tls api-certs --cert=certs/apiserver.crt --key=certs/apiserver.key -n openshift-config

oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - servingCertificate:
        name: api-certs
"

Wait for kube-apiserver to finish rollout.

Then, on the masters, check:
# ls -lrt /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/
...
drwxr-xr-x. 2 root root  36 Oct 15 14:15 user-serving-cert-000

# ls -l /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000
-rw-------. 1 root root 1675 Oct 15 14:15 tls.key
-rw-------. 1 root root 1261 Oct 15 14:15 tls.crt
They have the same 600 permission.
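A small check for the condition verified above, added here as an example; it is not part of the bug report or of the OpenShift tooling. It assumes GNU stat (as on RHCOS masters) and takes the secret directory as its only argument, returning non-zero if any file in it is not mode 0600.

```shell
# Added example: report every file in a kube-apiserver secret directory
# whose mode is not 0600 (owner read/write only). tls.key and tls.crt
# in user-serving-cert-000 are expected to match, as in the comment above.
# Usage: check_secret_perms /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000
check_secret_perms() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        # skip the literal glob on an empty directory and any subdirectories
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")   # GNU stat: octal mode without leading zero
        if [ "$mode" = "600" ]; then
            echo "OK   $mode $f"
        else
            echo "BAD  $mode $f"
            rc=1
        fi
    done
    return $rc
}
```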

Comment 6 errata-xmlrpc 2021-10-26 17:23:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.4 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3935